Cryptography in the Wild: An Empirical Analysis of Vulnerabilities in Cryptographic Libraries

The security of the Internet and numerous other applications rests on a small number of open-source cryptographic libraries: A vulnerability in any one of them threatens to compromise a significant percentage of web traffic. Despite this potential for security impact, the characteristics and causes of vulnerabilities in cryptographic software are not well understood. In this work, we conduct the first systematic, longitudinal analysis of cryptographic libraries and the vulnerabilities they produce. We collect data from the National Vulnerability Database, individual project repositories and mailing lists, and other relevant sources for all widely used cryptographic libraries. In our investigation of the causes of these vulnerabilities, we find evidence of a correlation between the complexity of these libraries and their (in)security, empirically demonstrating the potential risks of bloated cryptographic codebases. Among our most interesting findings is that 48.4% of vulnerabilities in libraries written in C and C++ are either primarily caused or exacerbated by memory safety issues, indicating that systems-level bugs are a major contributor to security issues in these systems. Cryptographic design and implementation issues make up 27.5% of vulnerabilities across all libraries, with side-channel attacks providing a further 19.4%. We find substantial variation among core library components in both complexity levels and vulnerabilities produced: for instance, over one-third of vulnerabilities are located in implementations of the SSL/TLS protocols, providing actionable evidence for codebase quality and security improvements in these libraries.